FY 2013 Evaluation of the Smithsonian Institution's Information Security Program

Office of the Inspector General
Report Number A-13-10
July 9, 2014

In Brief: FY 2013 Evaluation of the Smithsonian Institution's Information Security Program
Report Number A-13-10, July 9, 2014

Why We Did This Audit

The Federal Information Security Management Act of 2002 (FISMA) directs the Office of the Inspector General to annually evaluate the information security program of the entity. Although not subject to FISMA, the Smithsonian has adopted FISMA through its policy because it is consistent with and advances the Smithsonian's mission and strategic goals.

The objective of this audit was to evaluate the effectiveness of the information security program and practices at the Smithsonian Institution (Smithsonian). We did this by assessing the Smithsonian's compliance with (1) its security policies, standards, and guidelines, and (2) the standards and guidelines promulgated by the National Institute of Standards and Technology (NIST).

Background

FISMA requires organizations to adopt a risk-based, life cycle approach to addressing information security that includes annual security program reviews, independent evaluations by the Office of the Inspector General, and reports for the Department of Homeland Security and Congress.

What We Found

During our fiscal year 2013 audit of the Smithsonian's information security program, we found that OCIO management could strengthen configuration management by timely implementing security patches, improving workstation configuration settings, and deleting obsolete software. In addition, management needs to:

• Strengthen procedures for remote access,
• Improve system backup processes, and
• Ensure that staff are appropriately trained in the areas of incident reporting and security.

Further, we found that Smithsonian Astrophysical Observatory (SAO) management did not fully enforce configuration and account management procedures. We also found that management needed to strengthen its physical access monitoring capabilities and report on continuous monitoring activities. Lastly, various sections of SAO's system security plan for one system were not current, accurate, or complete.

Finally, we found that the National Museum of Natural History (NMNH) management needed to improve account modification procedures for its research collection information system.

What We Recommended

We made eight recommendations to improve OCIO's information security program. We made five recommendations to SAO and two recommendations to NMNH to improve their information security practices. These recommendations address improvements needed in seven information security control groups: configuration management, access control, physical and environmental protection, contingency planning, incident response, awareness and training, planning, and security assessment and authorization.

Management concurred with our findings and recommendations and has proposed corrective actions.

For additional information, contact the Office of the Inspector General at (202) 633-7050 or visit http://www.si.edu/oig.

Memo

Date: July 9, 2014

To: Deron Burba, Chief Information Officer
    Danee Gaines Adams, Privacy Officer
    Jeanne O'Toole, Director of Office of Protection Services
    Juliette Sheppard, Director of Information Technology Security

Cc: Albert Horvath, Under Secretary for Finance and Administration and Chief Financial Officer
    Porter N. Wilkinson, Chief of Staff, Board of Regents
    Patricia Bartlett, Chief of Staff, Office of the Secretary
    Judith Leonard, General Counsel
    Cindy Zarate, Executive Officer, Office of the Under Secretary for Finance and Administration/Chief Financial Officer
    Stone Kelly, Program and Budget Analyst, Office of Planning, Management and Budget

From: Epin Christensen, Acting Inspector General

Subject: FY 2013 Evaluation of the Smithsonian Institution's Information Security Program, Report Number A-13-10

Attached please find the final report on our independent evaluation of the Smithsonian's information security program for fiscal year 2013.

We made fifteen recommendations to strengthen the Smithsonian's information security program. Our recommendations addressed the following control groups: configuration management, access control, physical and environmental protection, contingency planning, incident response, awareness and training, planning, and security assessment and authorization.

Management concurred with our findings and recommendations and has proposed corrective actions.

While outside of the scope of this audit, we note that management has filled two key positions, Computer Security Manager and Privacy Officer. We believe that filling these positions is a step toward strengthening the information security program at the Smithsonian.

We appreciate the courtesy and cooperation of all Smithsonian staff during this review. Please call me or Joan Mockeridge, Acting Assistant Inspector General for Audits, at 202.633.7050 if you have any questions.

MRC 524
PO Box 37012
Washington DC 20013-0712
202.633.7050 Telephone
202.633.7079 Fax

SMITHSONIAN INSTITUTION                      OFFICE OF THE INSPECTOR GENERAL

TABLE OF CONTENTS

INTRODUCTION
BACKGROUND
RESULTS OF AUDIT
     Configuration Management
     Access Control
     Physical and Environmental Protection
     Contingency Planning
     Incident Response
     Awareness and Training
     Planning
     Security Assessment and Authorization
OBJECTIVES, SCOPE, AND METHODOLOGY (Appendix A)
PRIOR RECOMMENDATIONS FOR WHICH CORRECTIVE ACTIONS ARE NOT YET COMPLETE (Appendix B)
MANAGEMENT RESPONSE (Appendix C)
MAJOR CONTRIBUTORS TO THIS REPORT (Appendix D)

INTRODUCTION

The goal of information security is to enable an organization to embrace technological innovation while protecting the organization's information and related systems.
The objective of this audit was to evaluate the effectiveness of the information security program and practices at the Smithsonian Institution (Smithsonian). We did this by assessing the Smithsonian's compliance with (1) its security policies, standards, and guidelines, and (2) the standards and guidelines promulgated by the National Institute of Standards and Technology (NIST).

This report presents the results of our fiscal year 2013 audit of the information security program implemented by the Smithsonian, based largely on the work of Clifton Larson Allen LLP (CLA), an independent audit, advisory, and public accounting firm.

The E-Government Act of 2002 (Pub. L. No. 107-347), which includes Title III, the Federal Information Security Management Act (FISMA) of 2002, was enacted to strengthen the security controls of federal government information systems. Although the Smithsonian is not subject to the E-Government Act of 2002, the Smithsonian has adopted FISMA through its policy because it is consistent with and advances the Smithsonian's mission and strategic goals.

FISMA requires executive agencies to adopt NIST standards and guidelines as federal information security compliance criteria, which form the basis of many of the Smithsonian's information security policies and procedures. Furthermore, FISMA requires that the Office of the Inspector General (OIG) perform an annual review of the organization's information security program.
FISMA also requires organizations to adopt a risk-based, life-cycle approach to addressing information security that includes annual security program reviews, independent evaluations by the OIG, and reports for the Department of Homeland Security and Congress.

Appendix A contains a detailed outline of our objective, scope, and methodology, and Appendix B contains an update on prior recommendations that have not been fully implemented.

Management concurred with our findings and recommendations and has planned corrective actions to address the recommendations. Refer to Appendix C for management's complete response.

BACKGROUND

This 2013 OIG report of the Smithsonian's information security program included reviews of the following four major systems:

Smithsonian's General Support System (SINet) – SINet is the computing infrastructure and core services used by Smithsonian employees and volunteers to perform their daily work. The services include internet, phone, email, remote access, content filtering, file storage, and many others that are integral to running an organization the size of the Smithsonian.

The research at the Smithsonian Astrophysical Observatory (SAO) focuses on scientific themes such as black holes, dark matter and energy, planets, extreme astrophysics, and the stars.
This evaluation included the review of two SAO systems used by the staff of the Harvard-Smithsonian Center for Astrophysics and Scientific Research and their collaborators:

• Scientific Computing Infrastructure (SCI) System – The SCI system supports the scientific research mission of SAO and is used to collect, process, store, analyze, and disseminate astrophysical data as well as provide the computing infrastructure to perform theoretical modeling calculations. In addition, SCI consists of all components required to implement scientific computing at SAO including: network and telecommunications infrastructure, servers and storage arrays, scientific workstations and desktops, web servers, and supporting databases.

• High Energy Astrophysics (HEA) System – The HEA system supports scientific data reduction/computation, centralized authentication, print, email, data storage, web sites, and database engines. The HEA system also supports the servers that process the telemetry streams from the Chandra telescope operations control center.

National Museum of Natural History (NMNH) – Research Collection Information System (RCIS) – The RCIS system supports the management of over 127 million objects and specimens in diverse fields such as botany, paleobiology, entomology, zoology, mineral sciences, and anthropology. Smithsonian staff, researchers, and staff from the U.S. Geological Survey, and the U.S.
Departments of Agriculture, Commerce, and Defense rely on this system.

Smithsonian management identified the SINet, SCI, and HEA systems as moderate impact systems based on Federal Information Processing Standard (FIPS) 199, Standards for Security Categorization of Federal Information and Information Systems. FIPS 199 defines system impact as moderate if the loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. In addition, management identified RCIS as a low impact system, which FIPS 199 defines as having a limited adverse effect on organizational operations, organizational assets, or individuals. The impact level of the system determines which controls management should implement for the particular system.

RESULTS OF AUDIT

This report presents our findings and recommendations for the Office of the Chief Information Officer's (OCIO) information security program and for each major system we reviewed.

I. Configuration Management

Configuration management is an important process for establishing and maintaining secure information system configurations, and provides support for managing security risks in information systems.

OCIO Needs to Improve Configuration Management Practices

We conducted a vulnerability assessment of the SINet infrastructure. We scanned 189 servers, 84 workstations running Windows XP, and 98 workstations running Windows 7, to determine if security patches had been implemented timely. We used the Common Vulnerability Scoring System (CVSS)[1] to determine the risk level of the vulnerabilities.
These scans also helped us to verify whether the workstation settings were configured according to the Smithsonian's approved configuration baseline. In addition, we reviewed a sample of router and switch configurations. We identified three areas where the Smithsonian could strengthen configuration management: (1) timely implementing security patches, (2) improving workstation configuration settings, and (3) deleting obsolete software.

[1] A CVSS score is generated using a combination of factors, such as how complex an attack would be needed to exploit the vulnerability, whether additional information would be needed to exploit the vulnerability, and the proximity of the attacker to the target host.

Security Patches

We determined that some security patches were not applied in a timely manner and management did not maintain compliance waivers to document the business justification for not installing the patch. Some unpatched critical and high-risk vulnerabilities were more than 12 months old. The five critical and most of the high-risk vulnerabilities on the servers were in older versions of software. This was also the case with the workstation vulnerabilities.

Smithsonian Technical Notes IT-960-TN02, Patch and Update Management of Desktop Computers, and IT-960-TN33, Microsoft Server Patching, provide procedures for evaluating and implementing patches and service packs for Microsoft server and workstation operating systems. For desktops, the process for installing critical patches should begin the day that they are released, and all other patches are generally installed the month after they are released. For servers running Microsoft operating systems, all patching must occur within 5 business days of the release.
These technical notes also assign responsibility for enforcing compliance and maintaining a record of all compliance waivers to the Information Technology (IT) Security Staff.

If critical patches are not applied in a timely manner, the Smithsonian is at an increased risk of attackers exploiting known vulnerabilities in its systems.

Workstation Configuration Settings

We found discrepancies between the configuration applied to the Microsoft Windows workstations and the United States Government Configuration Baseline (USGCB) settings. Our compliance testing tools reported that approximately 10 percent of the 263 USGCB settings were not implemented.

The USGCB settings are promulgated by NIST and are the result of a Federal government-wide initiative to improve and maintain effective configuration settings, focusing primarily on security. NIST recommends that organizations make risk-based decisions as they customize the baseline to support functional requirements in their operational environments and document any changes to the USGCB settings.

The Smithsonian Technical Standards and Guidelines, IT-930-02, Security Controls Manual, identifies the USGCB settings as the baseline for Microsoft Windows workstations. However, there may be cases where employees, such as scientists and researchers, need to use a non-compliant configuration setting to run specialized software or equipment. Smithsonian Technical Note IT-960-TN31, Security Configuration Management of Baselines, allows the OCIO Baseline Manager to request deviations from the baseline configuration if they adequately document the deviation and get approval from the Change Control Board.
Although management prepared a report contrasting the USGCB settings with the existing configuration settings and accepting the risk of the differences, they did not identify specific causes or reasons for the deviations.

If management does not document the potential risk and the business reasons for not implementing USGCB configuration settings, they cannot be fully aware of their operational risks.

Obsolete Software

We determined that some network equipment had software versions that were no longer supported by the manufacturer. For example, some switches and routers were running IOS version 12.3, which the manufacturer stopped supporting on March 15, 2012. Many of the server and workstation vulnerabilities we reported above were due to software that was no longer supported by the manufacturer. We also noted that at the time of our audit, the Smithsonian had several hundred workstations running Windows XP, which Microsoft stopped supporting in April 2014.

Because of the risk of continuing to use Windows XP after support ended, OCIO assigned responsibility for replacing workstations running Windows XP to the Periodic Desktop Hardware Replacement Program.
Most of those workstations were due to be replaced before Microsoft ended support for Windows XP. Management did not have a similar plan for the routers and switches with obsolete software.

According to NIST Special Publication 800-40, Revision 3, Guide to Enterprise Patch Management Technologies, as vendors stop issuing patches to address new security vulnerabilities, the unsupported software becomes less secure and more vulnerable to intrusions than the current versions of the software.

It is necessary to upgrade obsolete products to versions that have ongoing support for patching newly discovered vulnerabilities.

Recommendations

To strengthen configuration management, we recommend that the Chief Information Officer:

   1. Ensure that IT security staff enforce compliance with patching requirements and, when appropriate, document compliance waivers.

   2. Improve the documentation of USGCB setting deviations to include consideration of risk and the reason for each deviation.

   3. Upgrade router and switch software versions that are no longer supported by the manufacturer.

We provided the detailed scanning results to management to assist them in addressing these recommendations.

SAO Needs to Improve Configuration Change Control Procedures

SAO management did not consistently retain change and configuration documentation. In addition, SAO did not consistently request approval from the Change Control Board for configuration changes for the SCI and HEA systems.

SAO IT staff did not consistently follow configuration management procedures when performing necessary system updates.
For example, staff did not provide evidence of change requests, approvals, specifications, or test results for any of the six SCI system changes we sampled.

In addition, for a sample of six HEA system changes, staff did not provide evidence of approval for two of them. For the other four, staff did not provide evidence of change requests, approvals, specifications, or test results.

The Smithsonian Technical Standards and Guidelines, IT-930-02, Security Controls Manual, Section 3.5.5, Configuration Change Control (CM-3), states that for moderate impact systems, defined as having a serious adverse effect on organizational operations, organizational assets, or individuals if there were to be a loss of confidentiality, integrity, or availability, the IT System Manager or Major System Sponsor must document and control major changes to the information system.

According to Smithsonian Technical Note IT-960-TN01, Change Management, the change management process consists of:

   • Creating a change ticket;
   • Approving the change ticket;
   • Notifying customers and IT support staffs of a change when appropriate; and
   • Closing the change ticket following implementation.

Also, NIST SP 800-53 Rev. 3 recommends that the organization test, validate, and document configuration management changes.

In the event SAO management does not document, approve, or test configuration changes, those changes could have consequences that adversely affect the system's environment, such as the introduction of new security vulnerabilities or incompatibilities with other system components.

Recommendation

We recommend that the SAO's Computation Facility Department Manager:

   4. Enforce configuration management procedures for the SCI and HEA systems to include tracking changes, approvals, testing, and implementation in accordance with Smithsonian policy.

II. Access Control

Access controls limit or detect access to computer resources such as data, programs, equipment, and facilities. These controls help to protect these resources against unauthorized or accidental modification, loss, and disclosure.

OCIO Needs to Strengthen Remote Access Procedures

Management has developed policies for authorizing connections. However, we found that the Smithsonian has not established policies or procedures for detecting and removing unauthorized remote connections. For example, unauthorized connections may include (1) wireless connections to a second network while connected to the Smithsonian network, or (2) an alternative internet service installed by a user to bypass the Smithsonian's firewall or remote access controls.

NIST Special Publication 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations, states that an organization should monitor for unauthorized remote connections to the information system, and take appropriate action if an unauthorized connection is discovered.

An unauthorized connection could permit an attacker to circumvent the Smithsonian's access controls and expose the Smithsonian's systems to unauthorized access, data manipulation, and system unavailability.

Recommendation

To ensure that unauthorized remote access is monitored, we recommend that the Chief Information Officer:

   5. Develop, document, and implement policies and procedures for detecting and removing unauthorized connections.

SAO Needs to Improve Account Management Procedures for Inactive HEA Accounts

SAO management did not consistently disable or terminate inactive accounts for the HEA system.

For the HEA system, we tested all 416 application accounts and noted that 4 of them were not disabled after 90 days of inactivity or when employment was terminated. These four accounts remained active at the time management generated the accounts report. Three accounts were disabled upon auditor inquiry, and one was already locked. Management determined that the locked account belonged to a separated employee and became locked due to a bad password. Therefore, the account could not be accessed.

The Smithsonian Technical Standards and Guidelines, IT-930-02, Security Controls Manual, version 3.8, states that system administrators are responsible for reviewing accounts once every 30 days to identify accounts that have been inactive for 90 days. System administrators should disable accounts that have been inactive for 90 days.
The system administrator must take appropriate action to change or delete the accounts of transferred or terminated users and notify that user's unit manager that the account has been disabled and will be deleted after another 90 days unless the manager requests that the account be re-enabled.

In these cases, SAO management did not follow Smithsonian policy for deactivating inactive accounts.

By not disabling inactive accounts or accounts from separated employees, SAO could be subject to unauthorized access, which could lead to data loss, data manipulation, or system unavailability.

Recommendation

We recommend that SAO's Computation Facility Department Manager:

   6. Ensure that HEA accounts are reviewed and disabled after 90 days of inactivity or upon personnel/affiliate's departure.

NMNH Needs to Improve Account Modification Procedures

We selected a sample of eight RCIS user accounts. We identified one account that was granted a group permission without approval documented on an Account Modification form. In addition, we identified one user account that belonged to an employee who had transferred positions and no longer required system access.

Smithsonian Technical Standards and Guidelines, IT-930-02, Security Controls Manual, version 3.8, states that system administrators are required to review accounts on a monthly basis to identify any transfers or terminations and take appropriate action to change or delete the user's account.

In addition, all changes to RCIS user accounts should be recorded using the Account Modification form.
This form is used to document when a user changes permission groups, when an appointment end date is extended, or when an account needs to be deleted.

The addition of a group permission to an RCIS user occurred because NMNH did not document bulk changes to user permissions. For the user who transferred positions, the user's account remained active because the appropriate staff did not review and disable his or her account when access was no longer necessary.

Because management did not enforce the use of Account Modification forms, there was an increased risk that users could obtain inappropriate permissions. Inappropriate access may have increased the risk of data loss, data manipulation, and system unavailability.

Recommendations

We recommend that NMNH's Branch Chief for Informatics:

   7. Ensure changes to the RCIS user accounts, including modifications of group permissions, are appropriately documented in an Account Modification form.

   8. Ensure that RCIS accounts are reviewed and disabled when employees transfer positions and the accounts are no longer necessary.

III. Physical and Environmental Protection

Physical protection (1) limits physical access to information systems, equipment, and the operating environments to authorized individuals only; and (2) protects the facility and support infrastructure housing information systems.

SAO SCI Management Needs to Improve Physical Access Monitoring Capability in the Computer Room

We observed the physical access monitoring capabilities of the SAO SCI computer room, and found that management did not ensure all of the entrances were adequately captured by video cameras.
Specifically, we found that the computer room had video surveillance of the front entrance, but there was no camera coverage of the rear and side doors.

NIST Special Publication 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations, states that an organization should monitor physical access to the information system to detect and respond to physical security incidents. Physical access controls require that an organization monitor real-time physical intrusion alarms and surveillance equipment.

Lacking the capability to physically monitor all doors may provide an opportunity for individuals to gain unauthorized access to critical hardware and hinder the investigation of and response to physical security incidents.

Recommendation

We recommend that SAO's Computation Facility Department Manager:

   9. Ensure video surveillance coverage of all entrances to the SAO SCI computer room.

During the course of our audit, management installed another video camera to enable the monitoring of all physical access. Therefore, we have closed this recommendation as of the date of this report.

IV. Contingency Planning

Contingency planning establishes, maintains, and effectively implements plans for emergency response, backup operations, and post-disaster recovery. These plans ensure the continuity of operations in emergency situations.

OCIO Needs to Improve Information System Backups

We examined backup processes for the 4 systems we reviewed.
However, management did not provide evidence to indicate that backups were performed or that restoration tests were conducted for SINet.

By not adequately ensuring the reliability and integrity of backed-up information, there is a risk that in the event of a disaster, critical information may not be successfully restored.

The Smithsonian Technical Standards and Guidelines, IT-930-02, Security Controls Manual, version 3.8, states that all systems must create backups of user-level and system-level information contained in the information system on at least a daily basis. In addition, all systems must employ mechanisms with supporting procedures to allow the information system to be recovered and reconstituted to the system's original state after a disruption or failure.

Recommendations

We recommend that the Chief Information Officer:

   10. Implement corrective action to restore SINet backup processes and capabilities.

   11. Periodically perform restoration tests using backup media.

V. Incident Response

Incident response includes adequate preparation, detection, analysis, containment, recovery, and user response activities. Incidents must be tracked, documented, and reported to appropriate organizational officials and/or authorities.

OCIO Needs to Ensure That Staff Are Appropriately Trained on Reporting Incidents to US-CERT

We reviewed ten incidents that the Smithsonian was required to report to the United States Computer Emergency Readiness Team (US-CERT).
Management did not provide evidence that one of the sampled incidents was reported to US-CERT.

The Smithsonian's Technical Standards and Guidelines, IT-930-TN30, Incident Response Plan, version 1.3, assigned responsibility to the OCIO Director for Computer Security or a designated Security Operations Center representative for collecting and reporting data to US-CERT.

We determined that for the one incident not reported, the staff was not properly trained on reporting incidents to US-CERT or on what documentation should be retained.

By not reporting all appropriate security incidents, the Smithsonian's and US-CERT's ability to detect, identify, and respond to suspected or actual breaches of the Smithsonian's computer applications, systems, or network was less effective.

Recommendation

We recommend that the Chief Information Officer:

   12. Ensure personnel responsible for reporting incidents to US-CERT have adequate guidance so that all incidents are reported timely.

VI. Awareness and Training

Organizations must ensure that managers and users are made aware of the security risks associated with their activities and of the applicable laws, Executive Orders, directives, policies, standards, instructions, regulations, or procedures related to the security of the organization.

Smithsonian Needs to Ensure That All Personnel Receive Appropriate Security Training

All Smithsonian employees and volunteers with a Smithsonian network account must take the Smithsonian's Computer Security Awareness Training (CSAT).
CSAT trains personnel on matters of information systems security, privacy, and physical security, such as granting access to visitors.

In addition, the Smithsonian offers security and privacy awareness training to all employees, including volunteers, when they are credentialed. The employees and volunteers must indicate with their signature that they have received the security and privacy awareness training. However, credentialed volunteers who do not have network accounts do not receive annual security and privacy awareness training because they are only credentialed once every three years.

We reviewed the CSAT records of 26 employees and volunteers who began work during fiscal year 2013. We found that six volunteers had not taken the Smithsonian's CSAT because their job duties did not require network accounts.

The Office of Management and Budget Memorandum M-12-20, FY 2012 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, clarifies the intention of FISMA by requiring that all employees receive annual security and privacy awareness training even if they do not access electronic information systems.

The Smithsonian had not yet ensured that credentialed volunteers without network accounts receive annual security training.

Smithsonian personnel without network accounts may not get adequate security training on Smithsonian physical security matters, privacy, and other non-IT issues. For example, they may not know the policies and procedures for:

   •   Addressing visitors without Smithsonian badges at restricted areas,
   •   Handling personally identifiable information, or
   •   Using personal social media accounts.

Recommendation

We recommend that the Chief Information Officer, in
coordination with the Office of Protective Services and the Privacy Officer:

   13. Provide guidance to employee sponsors of volunteers requiring them to update their volunteers' security awareness training annually.

VII. Planning

The system security plan provides an overview of the security requirements of a system and describes the controls in place or planned for meeting those requirements. The system security plan also identifies responsibilities and expected behavior of all individuals who access the system.

Management Needs to Update the SCI System Security Plan

SAO management did not have an updated SCI System Security Plan (SSP). We reviewed the SSP and determined that it was not current, accurate, or complete for the following sections:

   •   Firewall Policies
   •   Modems and Other SINet Remote Access Methods
   •   Network Router/Switch Installations and Configurations
   •   Identification and Authentication of Organizational Users
   •   Device Identification and Authentication
   •   Baseline Configuration
   •   Configuration Management Plan
   •   Information System Backup
   •   Identification and Authentication of Non-Organizational Users
   •   Monitoring Physical Access

According to NIST Special Publication 800-53, revision 3, Recommended Security Controls for Federal Information Systems and Organizations, an organization should update the SSP to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments.

SAO management did not update the SSP template for the SCI environment.
By not ensuring that the SSP was current, there was a risk that security controls could be incomplete or missing. In addition, staff who rely on the SSP for risk assessment or other purposes may make erroneous decisions based on the information in the plan.

Recommendation

We recommend that SAO's Computation Facility Department Manager:

   14. Perform a review of SCI's SSP to ensure that all security control sections are current, accurate, and complete.

During the course of our audit, we verified that SAO management updated their SCI SSP to address the areas that were not current, accurate, or complete. Therefore, we have closed this recommendation as of the date of this report.

VIII. Security Assessment and Authorization

Organizations must periodically assess the security controls in organizational information systems to determine if the controls are effective in their application.

SAO HEA Staff Need to Report on Continuous Monitoring Activities

We reviewed OCIO's monitoring logs and noted that HEA staff had not submitted the required quarterly monitoring reports. The Smithsonian Technical Standards and Guidelines, IT-930-02, Security Controls Manual, version 3.8, specifies quarterly reports and reviews that managers of major systems are required to perform and submit to the OCIO security program.

According to management, HEA staff had not consistently submitted the required reports due to limited program and system resources. HEA staff may not detect system flaws, security vulnerabilities, or system exploitations if they do not perform monitoring activities.
If HEA staff do not provide evidence of monitoring activities to OCIO, management will not have the information it requires to determine if the system is being adequately or effectively monitored.

Recommendation

We recommend that SAO's Computation Facility Department Manager:

   15. Ensure that SAO HEA staff provide quarterly monitoring reports to OCIO.

During the course of our audit, SAO management began submitting quarterly monitoring reports and audit log reviews to OCIO. Therefore, we have closed this recommendation as of the date of this report.

APPENDIX A
OBJECTIVE, SCOPE, AND METHODOLOGY

The objective of this audit was to evaluate the effectiveness of the Smithsonian's information security program and practices. We did this by assessing the Smithsonian's compliance with (1) its security policies, standards, and guidelines, and (2) the standards and guidelines promulgated by the National Institute of Standards and Technology.

This audit was prepared based on information available as of September 30, 2013. However, we did review data subsequent to September 30, 2013, to close recommendations as of the date of this report.

Clifton Larson Allen (CLA) audited the Smithsonian's information security program on behalf of the OIG. Its work covered nine of the eleven major control areas in the scope of the audit, with the remaining two performed by OIG auditors.

We provided oversight and review of CLA's work and determined that it was conducted in accordance with Government Auditing Standards, December 2011 Revision, promulgated by the Comptroller General of the United States.
Those standards require that the work be planned and performed to obtain sufficient, appropriate evidence that provides a reasonable basis for the findings and conclusions based on the audit objective. We believe that the evidence CLA obtained provides a reasonable basis for our findings and conclusions based on the audit objective.

CLA developed a three-year review rotation plan, in consultation with the OIG, to review the Smithsonian's major systems. CLA reviewed the following four major systems in FY 2013:

    1. The Smithsonian's General Support System
    2. Smithsonian Astrophysical Observatory - Scientific Computing Infrastructure System
    3. Smithsonian Astrophysical Observatory - High Energy Astrophysics System
    4. National Museum of Natural History - Research Collection Information System

Our methodology included performing security reviews of the Smithsonian's information technology infrastructure and reviewing the Smithsonian's Plans of Action and Milestones. We performed procedures to test: (a) the implementation of a Smithsonian-wide security program; and (b) operational and technical controls specific to each application, such as service continuity, logical access, and change management controls. We also interviewed Office of the Chief Information Officer staff and major system owners and sponsors.

Generally, all tests were performed to assess the Smithsonian's technical, operational, and management controls over its information security program. For some of the tests performed, we selected samples.
Because the samples we selected were not statistical, we cannot project the results of our findings related to these areas across the population.

In addition, we evaluated management's actions to address recommendations from previous FISMA evaluation reports. The results of this evaluation are in Appendix B.

We conducted this performance audit in Washington, DC; Herndon, VA; and Boston, MA, from October 2013 through March 2014, in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence we obtained provides a reasonable basis for our findings and conclusions based on our audit objective.

APPENDIX B

Prior Recommendations For Which Corrective Actions Are Not Yet Complete

Report: FY 2010 Evaluation of the Smithsonian Institution Information Security Program

   Recommendation: Update SD 920 and other related documents to provide clear criteria for designating systems for inclusion in the Institution's FISMA inventory.
   Current Status: Target date for completion 8/30/2014

   Recommendation: Implement controls to ensure that all SI-owned laptops/mobile devices that may be used to store sensitive information are secured with an appropriate encryption technology.
   Current Status: Target date for completion 6/30/2014

Report: Management Advisory Regarding Portable Computer Encryption

   Recommendation: Direct Unit IT staff to determine which laptop computers in their inventory may be used to store sensitive data and, with assistance from OCIO, configure those computers with whole drive encryption.

   Recommendation: Direct Unit IT staff to identify all laptop computers that will not be configured with encryption and clearly indicate to users with a prominent label that those computers must not be used to store sensitive information.

   Recommendation: Revise IT-930-TN28 to assign responsibility to staff with the knowledge and skills to ensure laptop computers are configured with appropriate encryption technology.

   Current Status: Target date for completion 6/30/2014

Report: FY 2012 Evaluation of the Smithsonian Institution Information Security Program

   Recommendation: Work with system managers to more quickly test security patches and updates and remediate all critical and high-risk vulnerabilities identified in the vulnerability assessment that OIG provided to management.

   Recommendation: Monitor Smithsonian workstations for the presence of unapproved software and timely maintenance of approved software, and enforce the existing policy requiring units to maintain products that are approved.

   Recommendation: Implement all US Government Configuration Baseline configuration settings for which there is not an approved deviation.

   Recommendation: Ensure that the system managers provide quarterly monitoring and reporting on account management activities and audit log reviews to the OCIO Security Program.

   Current Status: Target date for completion 11/19/2014

APPENDIX C
MANAGEMENT RESPONSE

APPENDIX D

MAJOR CONTRIBUTORS TO THIS REPORT

Clifton Larson Allen LLP
Bruce Gallus, Supervisory Auditor
William Hoyt, Assistant Inspector General for Operations
Joseph Benham, Auditor